
mc user admin svcacct for external managed user with oidc support should be clarified #17913

Open
alexisdondon opened this issue Aug 24, 2023 · 4 comments

Comments


alexisdondon commented Aug 24, 2023

Is your feature request related to a problem? Please describe.
As a minio administrator, for security reasons I want to have the ability to act on service accounts created by oidc users with minio-console.

The whole scope of admin user svcacct already exists for AD, LDAP and minio users, and it's nearly the case for oidc, but it is not documented.

Describe the solution you'd like
As I understand the mechanism, the parentUser for an oidc externally managed user is a sha256 of sub and issuer.
https://github.com/minio/minio/blob/master/cmd/sts-handlers.go#L490

Let's say I am an administrator and I know:

  • the oidc issuer
  • the oidc sub of a user.
  • the minio internal algorithm to compute parentUser

Then:

mc admin user svcacct list myminio computed-oidc-parent-user

Then mc returns the list of service accounts linked to the user, and all commands work.

So my question is:

  • Is it supported? The doc should mention it if it is.
  • If it is supported, then mc admin user svcacct list myminio computedoidcparentuser is in error if the computedoidcparentuser begins with -lsomething. mc thinks this is a command flag.
@ravindk89
Contributor

I don't think we would want to document something that relies on computing hashes by manually smashing these fields together.

@donatello thoughts here? Is there a more clean way we could potentially pass an OIDC user identifier here?

@donatello
Member

> I don't think we would want to document something that relies on computing hashes by manually smashing these fields together.
>
> @donatello thoughts here? Is there a more clean way we could potentially pass an OIDC user identifier here?

I think it's best to take this as a feature request and add a config to specify a jwt field as the user identifier.

@stale

stale bot commented Oct 15, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 15 days if no further activity occurs. Thank you for your contributions.

@Scapal

Scapal commented Apr 24, 2024

In the same way, when using mc admin user svcacct info to track an AccessKey owner, I end up with a hash as the ParentUser.
I would expect the OpenID preferred_username claim value to be used.
